{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/solarwinds-orion/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SolarWinds Orion"],"_cs_severities":["medium"],"_cs_tags":["supply-chain","solarwinds","command-execution","powershell","cmd"],"_cs_type":"advisory","_cs_vendors":["SolarWinds"],"content_html":"\u003cp\u003eThis rule detects suspicious command execution via SolarWinds processes. Following the SolarWinds supply chain compromise (SUNBURST), adversaries may leverage legitimate SolarWinds processes to execute arbitrary commands on compromised systems. This involves spawning command-line interpreters like \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e as child processes of various SolarWinds executables. This activity could lead to further exploitation, lateral movement, and data exfiltration. This detection focuses on identifying parent-child process relationships where SolarWinds processes unexpectedly launch command interpreters, indicating potential malicious activity. The initial compromise occurred in 2020, impacting numerous organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access through a supply chain compromise, potentially via a trojanized SolarWinds Orion software update.\u003c/li\u003e\n\u003cli\u003eA legitimate SolarWinds process, such as \u003ccode\u003eConfigurationWizard.exe\u003c/code\u003e, \u003ccode\u003eNetFlowService.exe\u003c/code\u003e, or \u003ccode\u003eSolarWinds.BusinessLayerHost.exe\u003c/code\u003e, is used to execute malicious code.\u003c/li\u003e\n\u003cli\u003eThe compromised SolarWinds process spawns a child process, \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e, to execute commands.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e process executes commands to perform reconnaissance, such as gathering system information.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the command interpreter to download and execute additional malicious payloads or tools.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating scheduled tasks or modifying registry keys via the command interpreter.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement by using the command interpreter to access other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data from the compromised systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can result in widespread system compromise, data theft, and disruption of services. Organizations that use SolarWinds Orion software are particularly at risk. The original SUNBURST campaign impacted thousands of organizations globally, including government agencies and Fortune 500 companies. The consequences include significant financial losses, reputational damage, and potential legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line details to allow detection of malicious command execution (Sysmon, Windows Security Logs).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect suspicious SolarWinds child processes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the specific SolarWinds parent process and the command-line arguments of the child process.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized execution of command-line interpreters from SolarWinds processes.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from SolarWinds processes for suspicious activity (network_connection log source).\u003c/li\u003e\n\u003cli\u003eReview and harden the security configuration of SolarWinds Orion software, following vendor best practices and security advisories.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-solarwinds-cmd-powershell/","summary":"This brief covers the detection of suspicious command execution, specifically Cmd.exe or PowerShell.exe, as child processes of legitimate SolarWinds executables, indicative of potential supply chain compromise and unauthorized command execution on Windows systems.","title":"Suspicious Command Execution via SolarWinds Process","url":"https://feed.craftedsignal.io/briefs/2024-01-solarwinds-cmd-powershell/"}],"language":"en","title":"CraftedSignal Threat Feed - SolarWinds Orion","version":"https://jsonfeed.org/version/1.1"}